Access to Role 'cognito role' is forbidden
Question
I'm getting this strange error, Access to Role 'cognito role' is forbidden, while creating a CloudFormation stack. Here is my CloudFormation file in YAML format.
I'm basically creating an S3 bucket and a Cognito identity to facilitate client-side access to my bucket. The whole thing is working fine except for this error: Access to Role 'phototest-cognitoRole-1AMKUVXUXAJ5H' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException)
AWSTemplateFormatVersion: 2010-09-09
Resources:
  photoBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: it-academy-photos-bucket
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ['*']
            AllowedMethods: [GET,POST,PUT]
            AllowedOrigins: ['*']
            Id: myrules
  cognitoRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: Allow
            Principal:
              Federated:
                - "cognito-identity.amazonaws.com"
            Action:
              - sts:AssumeRoleWithWebIdentity
      Policies:
        -
          PolicyName: "photo_client_policy"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Sid: VisualEditor1
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObjectAcl
                  - s3:GetObject
                  - s3:GetObjectTorrent
                  - s3:GetObjectVersionAcl
                  - s3:PutObjectVersionTagging
                  - s3:GetObjectTagging
                  - s3:PutObjectTagging
                  - s3:PutBucketCORS
                  - s3:PutObjectAcl
                  - s3:GetObjectVersion
                Resource: "*"
  cognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: "photo_bucket"
      AllowUnauthenticatedIdentities: true
  cognitoIdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref cognitoIdentityPool
      Roles:
        unauthenticated: !Ref cognitoRole
Recommended answer
I was having the same problem and figured out that the unauthenticated role needs the ARN and not the logical ID. This should fix the issue:
  cognitoIdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref cognitoIdentityPool
      Roles:
        unauthenticated: !GetAtt cognitoRole.Arn
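The root cause is that `Ref` on an `AWS::IAM::Role` returns the role name, while `AWS::Cognito::IdentityPoolRoleAttachment` expects a role ARN, which is why the API rejects the attachment with NotAuthorizedException. The following template lint is an added example (not code from the question, the answer, or any AWS tool) that catches the mistake before deployment. It works on the template in its parsed JSON-style form (`!Ref X` is `{"Ref": "X"}`, `!GetAtt X.Arn` is `{"Fn::GetAtt": ["X", "Arn"]}`) so it needs no YAML library; the two embedded templates are constructed copies of the question's and the answer's resources. It goes slightly beyond the thread: because the pool allows unauthenticated identities, it also flags `Allow` statements on `Resource: "*"` for the attached role and a federated trust policy with no `cognito-identity.amazonaws.com:aud` condition pinning it to one identity pool. Function and variable names are the example's own.

```python
"""Lint a CloudFormation template (parsed dict form) for Cognito role-attachment issues."""
import copy
import json


def _role_logical_id(value):
    """Logical ID of the role a Roles entry points at, or None for literal ARNs."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target.split(".", 1)[0] if isinstance(target, str) else target[0]
    return None


def _is_role_arn(value):
    """True if the value resolves to a role ARN: a literal ARN or Fn::GetAtt <Role>.Arn."""
    if isinstance(value, str):
        return value.startswith("arn:aws:iam::") and ":role/" in value
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        target = value["Fn::GetAtt"]
        parts = target.split(".", 1) if isinstance(target, str) else list(target)
        return len(parts) == 2 and parts[1] == "Arn"
    return False


def _statements(doc):
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _allows_wildcard_resource(stmt):
    res = stmt.get("Resource", [])
    res = res if isinstance(res, list) else [res]
    return stmt.get("Effect") == "Allow" and "*" in res


def _trust_pins_identity_pool(role):
    """Every federated trust statement must carry an aud condition naming the pool."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for stmt in _statements(doc):
        if stmt.get("Principal", {}).get("Federated"):
            if "cognito-identity.amazonaws.com:aud" not in json.dumps(stmt.get("Condition", {})):
                return False
    return True


def check_template(template):
    """Return a list of finding strings; an empty list means the template passes."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::Cognito::IdentityPoolRoleAttachment":
            continue
        roles = res.get("Properties", {}).get("Roles", {})
        for kind, value in roles.items():
            if not _is_role_arn(value):  # the bug from the question: Ref gives the role name
                findings.append(f"{name}.Roles.{kind}: needs a role ARN "
                                f"(Fn::GetAtt [<Role>, Arn]), got {json.dumps(value)}")
            role_id = _role_logical_id(value)
            role = resources.get(role_id or "", {})
            if role.get("Type") != "AWS::IAM::Role":
                continue
            for policy in role.get("Properties", {}).get("Policies", []):
                for stmt in _statements(policy.get("PolicyDocument", {})):
                    if _allows_wildcard_resource(stmt):
                        findings.append(f"{role_id} ({kind}): Allow on Resource '*' in policy "
                                        f"{policy.get('PolicyName')}; scope it to the bucket ARN")
            if not _trust_pins_identity_pool(role):
                findings.append(f"{role_id}: federated trust policy has no "
                                f"cognito-identity.amazonaws.com:aud condition for the pool")
    return findings


# Constructed copy of the question's template in parsed form (only the parts the lint reads).
QUESTION_TEMPLATE = {
    "Resources": {
        "cognitoRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Federated": ["cognito-identity.amazonaws.com"]},
                    "Action": ["sts:AssumeRoleWithWebIdentity"]}]},
                "Policies": [{"PolicyName": "photo_client_policy", "PolicyDocument": {
                    "Version": "2012-10-17", "Statement": [{
                        "Sid": "VisualEditor1", "Effect": "Allow",
                        "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"}]}}]}},
        "cognitoIdentityPool": {"Type": "AWS::Cognito::IdentityPool", "Properties": {
            "IdentityPoolName": "photo_bucket", "AllowUnauthenticatedIdentities": True}},
        "cognitoIdentityPoolRoleAttachment": {
            "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
            "Properties": {"IdentityPoolId": {"Ref": "cognitoIdentityPool"},
                           "Roles": {"unauthenticated": {"Ref": "cognitoRole"}}}}}}

# The answer's fix: same template with the attachment pointing at the role ARN.
FIXED_TEMPLATE = copy.deepcopy(QUESTION_TEMPLATE)
FIXED_TEMPLATE["Resources"]["cognitoIdentityPoolRoleAttachment"]["Properties"]["Roles"] = {
    "unauthenticated": {"Fn::GetAtt": ["cognitoRole", "Arn"]}}

if __name__ == "__main__":
    for label, tpl in (("question", QUESTION_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, json.dumps(check_template(tpl), indent=2))
```

Running it on the question's template reports three findings (the `Ref`, the wildcard resource, and the unpinned trust policy); the answer's fix clears the first, and the remaining two are the least-privilege follow-ups worth addressing for a pool that hands out credentials to unauthenticated identities.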